mobile device mismanagement

© 2014 NTT Com Security. Mobile Device Mismanagement: Vulnerabilities in MDM Solutions and their impact. Stephen Breen, 06 AUG 2014. Stephen Breen-Public-Approved


DESCRIPTION

BlackHat talk on MDM vulnerabilities.

TRANSCRIPT

Page 1: Mobile Device Mismanagement

Mobile Device Mismanagement: Vulnerabilities in MDM Solutions and their impact

Stephen Breen, 06 AUG 2014

Page 2: Mobile Device Mismanagement


Bios

Stephen Breen
• Senior Consultant

Christopher Camejo
• Director of Assessment Services

8/6/14

Page 3: Mobile Device Mismanagement


Contents

Intro

MDM market

How this started

What we found

What can we do about it


Page 4: Mobile Device Mismanagement


Intro


Page 5: Mobile Device Mismanagement


Everything increases the potential attack surface – even security products

Heartbleed
• Neel Mehta - 2014
• SSL/TLS supposed to protect communication channels
• Vulnerability results in a false sense of security

Antivirus
• Feng Xue - “Attacking Antivirus” - Black Hat Europe 2008
• Vulnerabilities within AV allow full system compromise
• Write malware that gets into the network through the virus scanner

Barracuda
• Stefan Viehböck - 2013
• Vendor hardcoded root backdoor accounts in firewalls, VPNs, etc.
• Your own security products can be turned against you

MDM
• Sebastien Andrivet - “The Security of MDM Systems” - Hack In Paris 2013
• More web interface vulns plus attacks on the device communications


Page 6: Mobile Device Mismanagement


MDM market


Page 7: Mobile Device Mismanagement


What is Mobile Device Management?

BYOD: Mobile devices used to access corporate information
• Easy to lose
• Privately owned
• Insecure configurations

MDM: Security software to manage employee mobile devices
• Device locating
• Remote wipe
• Policy enforcement


Page 8: Mobile Device Mismanagement


Deployment Data

What's the status of mobile device management software at your company?
• Deployed: 26%
• In the process of deploying: 17%
• Evaluating: 39%
• No plans to deploy: 12%
• Don't know: 6%

Approximately 180 million enterprise BYOD devices globally, expected to increase to 390 million by 2015.

The U.S. region will lead the market with an estimated 68 percent of the overall market share.

MDM market will grow 23.3% over the next five years.

82% of companies surveyed are looking into MDM.

• Data: InformationWeek 2013 Mobile Device Management and Security Survey of 307 business technology professionals, September 2012


Page 9: Mobile Device Mismanagement


Usage data

What Company Assets Do You Access Via Mobile Devices?
• Email: 95%
• Office Applications: 61%
• VPN: 48%
• Corporate File Servers: 41%
• Databases: 31%
• CRM: 29%
• Corporate wiki or social network: 28%
• SaaS or cloud business apps: 24%
• Human resources applications: 21%
• ERP: 20%

Data: InformationWeek 2013 Mobile Device Management and Security Survey of 307 business technology professionals, September 2012


Page 10: Mobile Device Mismanagement


Products

Top-right quadrant: 0 CVE results
• Doesn’t mean there are no vulnerabilities
• Could mean nobody is looking

Some products share a common backend
• They likely share common vulnerabilities

Page 11: Mobile Device Mismanagement


How this started


Page 12: Mobile Device Mismanagement


The value of a good pen test

Pen testing a client with MDM deployed

Found default credentials on MDM console

Found previously unknown remote code execution in console

Hooray/uh-oh

Pen testing a client’s mobile devices with MDM

Simple jailbreak detection bypass.

Found lots of vulnerabilities – PoC to compromise all Domain users’ plaintext passwords

Hooray/uh-oh


Page 13: Mobile Device Mismanagement


Vendor Relations

Hard to test MDM
• Most vendors don’t give out demo products
• Not much tooling or information available to pen testers

Findings disclosed to vendors
• Patches have already been issued and will continue to be issued based on the issues we have identified


Page 14: Mobile Device Mismanagement


What we found


…minus the details

Page 15: Mobile Device Mismanagement


First Glance

We focused on iOS MDM because it uses a standard protocol
• Android’s lack of a standard does not imply it’s better, just product-specific vulnerabilities

iOS enforces an API for MDM
• Most of the code on the mobile device is part of iOS
• The protocol is standardized but the implementations vary
• The server software is also written by the vendor

Vendor code is where vulnerabilities have slipped in
• It’s possible to implement reasonably secure MDM on iOS – the protocol seems solid

Android doesn’t have an MDM API
• More room for the vendors to make mistakes
• Android implementations may be much worse than iOS


Page 16: Mobile Device Mismanagement


iOS MDM API Enrollment – How it works

Enrollment is the process by which a device becomes managed by MDM

iOS uses 3 distinct phases for enrollment:
• Authentication – The user authenticates to the MDM server
• Certificate Enrollment – The device and server exchange crypto keys
• Device Configuration – The server applies configuration changes to the device

Typically occurring over HTTP


Page 17: Mobile Device Mismanagement


iOS MDM API Enrollment – Negotiation Issues

Issues:
• Doing enrollment without encrypting communications
• Easily ignored certificate errors
• Predictable tokens
• Tokens remain valid for re-enrollment forever
• Token leakage (external services and improper handling)

Result:
• Compromising tokens results in user impersonation
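The three token issues above (predictable tokens, tokens that stay valid forever, tokens that can be replayed after leaking) are all server-side design choices. The following is an added example, not code from the talk or from any MDM product: a hypothetical enrollment-token store in Go that mints 32 bytes from crypto/rand per token, keeps only the SHA-256 of each token in its table, and refuses tokens that are unknown, expired or already redeemed. The TokenStore API, its schema, the 15-minute lifetime and the unix-second clock are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// tokenRecord is what the server keeps per issued token (hypothetical schema).
// The table is keyed by SHA-256(token), so a leaked table yields no usable tokens.
type tokenRecord struct {
	user      string
	expiresAt int64 // unix seconds
	redeemed  bool
}

// TokenStore issues and redeems single-use, expiring enrollment tokens.
type TokenStore struct {
	mu      sync.Mutex
	records map[string]*tokenRecord
}

func NewTokenStore() *TokenStore { return &TokenStore{records: map[string]*tokenRecord{}} }

func keyFor(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue mints a token for user that expires at nowUnix+ttlSeconds. The token is 32 bytes
// from crypto/rand, so no user name, clock value or earlier token lets anyone predict it.
func (s *TokenStore) Issue(user string, nowUnix, ttlSeconds int64) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[keyFor(token)] = &tokenRecord{user: user, expiresAt: nowUnix + ttlSeconds}
	return token, nil
}

var (
	ErrUnknownToken = errors.New("unknown enrollment token")
	ErrExpiredToken = errors.New("enrollment token expired")
	ErrReusedToken  = errors.New("enrollment token already redeemed")
)

// Redeem exchanges a token for the user it was issued to, exactly once and only before
// expiry. A redeemed token stays in the table until it expires so that a replay is
// reported as reuse instead of being mistaken for an unknown token.
func (s *TokenStore) Redeem(token string, nowUnix int64) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	k := keyFor(token)
	rec, ok := s.records[k]
	if !ok {
		return "", ErrUnknownToken
	}
	if nowUnix > rec.expiresAt {
		delete(s.records, k)
		return "", ErrExpiredToken
	}
	if rec.redeemed {
		return "", ErrReusedToken
	}
	rec.redeemed = true
	return rec.user, nil
}

func main() {
	store := NewTokenStore()
	const now = int64(1407319200) // constructed clock: 2014-08-06 10:00 UTC
	token, _ := store.Issue("alice", now, 900)
	fmt.Println("issued:", token)
	user, err := store.Redeem(token, now+60)
	fmt.Println("first redeem:", user, err)
	_, err = store.Redeem(token, now+120)
	fmt.Println("replay:", err)
	stale, _ := store.Issue("bob", now, 900)
	_, err = store.Redeem(stale, now+3600)
	fmt.Println("an hour later:", err)
}
```

The lifetime is the main knob: a token only has to survive the minutes between the user authenticating and the device finishing certificate enrollment, so there is no reason for it to remain valid for re-enrollment later. Hashing the stored copy means an export of the token table (a backup, a log, a third-party service the server hands data to) does not by itself let anyone impersonate a user.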


Page 18: Mobile Device Mismanagement


iOS MDM API Communication – How it works

Participants: Apple (APNS), the MDM Server, and managed device X

MDM Server -> Apple: “I have a message for device X”


Page 19: Mobile Device Mismanagement


iOS MDM API Communication – How it works

Apple -> X (APNS push): “MDM Server has a message for you…”


Page 20: Mobile Device Mismanagement


iOS MDM API Communication – How it works

X -> MDM Server: “You called?”


Page 21: Mobile Device Mismanagement


iOS MDM API Communication – How it works

MDM Server -> X: “Do stuff and/or take this sensitive data…”
• Domain Credentials
• WPA2 PSK
• Configuration settings
• …


Page 22: Mobile Device Mismanagement


iOS MDM API Communication – Commands

Control
• Lock
• Clear Passcode
• Wipe

Device Info
• List Profiles
• Installed Applications
• Certificate List
• Provisioning Profiles
• Restrictions
• Managed Applications
• Security Information

Configuration
• Install Profile
• Remove Profile
• Install Application
• Remove Application
• Settings
• Install Provisioning Profile
• Remove Provisioning Profile

Device -> Server
• Token Update
• Authenticate
• CheckOut
• Status


Page 23: Mobile Device Mismanagement


iOS MDM API Communications – Negotiation Issues

MDM-Signature not available in some products
• Send fake messages on behalf of devices
• DoS MDM service by changing tokens
• Tell server devices don’t want to be enrolled anymore
• Trick server into issuing wipe commands
• Steal profile data (AD credentials, WPA keys, etc.)

Payload encryption disabled in some products
• Can remotely intercept sensitive data going from the server to the device
• Domain credentials (plaintext?!), WPA2 pre-shared keys, other sensitive configuration information…


Page 24: Mobile Device Mismanagement


iOS MDM API Communications – Negotiation Issues

Injection Flaws
• SQLi
• XXE

Flawed Signature Validation
• Not all signature validation methods are created equal
• Some products may not link keys to users
• Some products may not check issuing CA
• We were able to create a BURP extension to automatically generate spoofed MDM-Signature headers
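The two validation gaps named above (keys not linked to users, issuing CA not checked) are what make a spoofed MDM-Signature header worth anything, so the server-side check is where they are closed. What follows is an added example and not code from the talk or from any vendor's product. It assumes a hypothetical server that issues each device an identity certificate from its own enrollment CA with CommonName set to the device UDID and keeps a UDID-to-user table; Go's standard library has no CMS parser, so a raw ASN.1 ECDSA signature over the request body stands in for the PKCS#7 detached signature a real MDM-Signature header carries. The scenario data (an enrollment CA, two enrolled devices, and a rogue CA that issued a certificate carrying device A's UDID) is constructed inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock so the constructed certificates are valid when checked.
var notBefore = time.Date(2014, 8, 6, 0, 0, 0, 0, time.UTC)
var checkTime = notBefore.Add(time.Hour)

// Verifier holds the enrollment CA and the enrollment table (hypothetical schema:
// UDID -> user who enrolled it). Device certificates carry CommonName = UDID.
type Verifier struct {
	roots       *x509.CertPool
	enrollments map[string]string
}
var (
	ErrBadSignature  = errors.New("signature does not verify under the presented certificate")
	ErrUntrustedCert = errors.New("certificate was not issued by the enrollment CA")
	ErrWrongIdentity = errors.New("certificate is not the one enrolled for this UDID")
)
// VerifyCheckIn checks a signed check-in: cert is the signer certificate, sig an ASN.1 ECDSA
// signature over SHA-256(body) (stand-in for the CMS signature), claimedUDID the UDID in the body.
func (v *Verifier) VerifyCheckIn(cert *x509.Certificate, body, sig []byte, claimedUDID string, now time.Time) (string, error) {
	// 1. The signature must verify under the presented certificate's public key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, body, sig); err != nil {
		return "", ErrBadSignature
	}
	// 2. The certificate must chain to our enrollment CA, not merely be well-formed.
	opts := x509.VerifyOptions{Roots: v.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", ErrUntrustedCert
	}
	// 3. The key must be the one enrolled for the claimed UDID, which binds it to a user.
	user, ok := v.enrollments[claimedUDID]
	if !ok || cert.Subject.CommonName != claimedUDID {
		return "", ErrWrongIdentity
	}
	return user, nil
}

// Identity is a certificate with its private key (a device or a CA).
type Identity struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

// newIdentity issues a certificate with CommonName cn; a nil parent makes a self-signed CA.
func newIdentity(cn string, serial int64, parent *Identity) Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return Identity{Cert: cert, Key: key}
}

// SignBody produces the signature a device attaches to its check-in body.
func SignBody(id Identity, body []byte) []byte {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
	if err != nil { panic(err) }
	return sig
}

// Setup builds the constructed scenario: enrollment CA, devices A/B (alice/bob), rogue CA reusing A's UDID.
func Setup() (*Verifier, map[string]Identity) {
	ca, rogueCA := newIdentity("Example MDM Enrollment CA", 1, nil), newIdentity("Rogue CA", 2, nil)
	ids := map[string]Identity{
		"A": newIdentity("UDID-A", 100, &ca), "B": newIdentity("UDID-B", 101, &ca),
		"rogue": newIdentity("UDID-A", 999, &rogueCA),
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	return &Verifier{roots: roots, enrollments: map[string]string{"UDID-A": "alice", "UDID-B": "bob"}}, ids
}

func main() {
	v, ids := Setup()
	body := []byte(`<plist><dict><key>UDID</key><string>UDID-A</string></dict></plist>`)
	for _, name := range []string{"A", "rogue", "B"} {
		user, err := v.VerifyCheckIn(ids[name].Cert, body, SignBody(ids[name], body), "UDID-A", checkTime)
		fmt.Printf("signer %-5s claiming UDID-A -> user=%q err=%v\n", name, user, err)
	}
}
```

Each of the three checks rejects a different failure: a valid signature under a certificate from the wrong CA fails check 2 (the "issuing CA" gap), and a valid signature under a legitimately issued certificate that belongs to another enrolled device fails check 3 (the "keys linked to users" gap). A product that only performs check 1 accepts both.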


Page 25: Mobile Device Mismanagement


What does this mean?


Page 26: Mobile Device Mismanagement


For Users:

Don’t deploy anything unless there’s a business need
• “Everybody else is doing it” isn’t a business need.

Due diligence (e.g. pen testing) of products before you choose and deploy
• When was the last time you had somebody look for zero-day vulnerabilities in a software product you bought?

Proper care and feeding of things you’ve deployed
• Hardened configuration
• Vulnerability management program
• Monitoring logs and alerts for suspicious activity

Everything increases attack surface, even security products

Page 27: Mobile Device Mismanagement


For Users:

Real pen testing
• More than vulnerability scanning
• APT are looking for zero-days, you should too
• Keep in mind this all started at a client during a routine pen test

Look at risk across the organization
• Security isn’t about throwing more fancy boxes on the network, those are just tools
• In order for tools to be effective they need to be deployed appropriately and have operators who know how to use them (and have the time)
• If you don’t know where your risk is you can’t deploy tools appropriately


Page 28: Mobile Device Mismanagement


For Product Vendors:

Software Development LifeCycle
• Everything is webified so your devs better eat/breathe/sleep OWASP
• Pen test your own products (before somebody does it for you)
• Your customers shouldn’t be your QA team
• If your QA team doesn’t know how to find vulnerabilities then find somebody who can

Don’t rely on security by obscurity
• We can reverse-engineer your protocol faster than you wrote it
• So can the bad guys

Authenticate all the things
• Certificates, tokens, signatures, and encryption exist for a reason, use them
• If you’re making your own version of any of those: you’re doing it wrong


Page 29: Mobile Device Mismanagement


Q&A

No, we won’t name vendors
• There are patches for many of these issues but people need time to apply them
• And some of these issues may still be unpatched
• But we would be happy to pen test your MDM deployment

Stephen Breen
• Senior Security Consultant
• NTT Com Security
• [email protected]